Searching events

POST /api/v2/events

Only search queries or aggregation queries (SELECT) are allowed.

Access: General administrator, Tenant administrator, Tier 2 analyst, Tier 1 analyst, Junior analyst, Access to NCIRCC, Access to CII.

Request body

Format: JSON

Request

| Name | Data type | Mandatory | Description | Value example |
|---|---|---|---|---|
| period | Period | Yes | Search period | See the Period table below |
| sql | string | Yes | SQL query | See the example queries below |
| ClusterID | string | No, if there is only one cluster | Storage cluster ID. You can find it by requesting a list of services with kind = storage. The cluster ID will be in the resourceID field. | 00000000-0000-0000-0000-000000000000 |
| rawTimestamps | bool | No | Display timestamps in their stored format (milliseconds since the Unix epoch). False by default. | true or false |
| emptyFields | bool | No | Display empty fields for normalized events. False by default. | true or false |

Example SQL queries:

SELECT * FROM events WHERE Type = 3 ORDER BY Timestamp DESC LIMIT 1000

SELECT sum(BytesOut) as TotalBytesSent, SourceAddress FROM events WHERE DeviceVendor = 'netflow' GROUP BY SourceAddress LIMIT 1000

SELECT count(Timestamp) as TotalEvents FROM events LIMIT 1

Period

| Name | Data type | Mandatory | Description | Value example |
|---|---|---|---|---|
| from | string | Yes | Lower bound of the period in RFC3339 format. `Timestamp >= <from>` | 2021-09-06T00:00:00Z (UTC); 2021-09-06T00:00:00.000Z (UTC, including milliseconds); 2021-09-06T00:00:00Z+00:00 (MSK) |
| to | string | Yes | Upper bound of the period in RFC3339 format. `Timestamp <= <to>` | 2021-09-06T00:00:00Z (UTC); 2021-09-06T00:00:00.000Z (UTC, including milliseconds); 2021-09-06T00:00:00Z+00:00 (MSK) |

Response

HTTP code: 200

Format: JSON

Result of executing the SQL query

Possible errors

| HTTP code | Description | message field value | details field value |
|---|---|---|---|
| 400 | The lower bound of the range is not specified | period.from required | - |
| 400 | The lower bound of the range is in an unsupported format | cannot parse period.from | variable |
| 400 | The lower bound of the range is equal to zero | period.from cannot be 0 | - |
| 400 | The upper bound of the range is not specified | period.to required | - |
| 400 | The upper bound of the range is in an unsupported format | cannot parse period.to | variable |
| 400 | The upper bound of the range is equal to zero | period.to cannot be 0 | - |
| 400 | The lower bound of the range is greater than the upper bound | period.from cannot be greater than period.to | - |
| 400 | Invalid SQL query | invalid sql | variable |
| 400 | An invalid table appears in the SQL query | the only valid table is `events` | - |
| 400 | The SQL query lacks a LIMIT | sql: LIMIT required | - |
| 400 | The LIMIT in the SQL query exceeds the maximum (1000) | sql: maximum LIMIT is 1000 | - |
| 404 | Storage cluster not found | cluster not found | - |
| 406 | The clusterID parameter was not specified, and many clusters were registered in KUMA | multiple clusters found, please provide clusterID | - |
| 500 | No available cluster nodes | no nodes available | - |
| 50x | Any other internal errors | event search failed | variable |
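As an added example that is not part of the KUMA documentation or product code, the following Python helper builds the request body described above and applies the documented constraints on the client side (both period bounds present, RFC3339 parseable and non-zero, from not after to, SELECT only, the `events` table, LIMIT present and at most 1000), so a malformed request is rejected locally with the same message the API would return. The function names and the regex-based SQL checks are assumptions of this example; the server's own parser is the authority.

```python
import re
from datetime import datetime

def _parse_rfc3339(value, name):
    """Parse a period bound, raising the messages the API documents."""
    if not value:
        raise ValueError(f"{name} required")
    text = value[:-1] + "+00:00" if value.endswith("Z") else value
    try:
        ts = datetime.fromisoformat(text)
    except ValueError:
        raise ValueError(f"cannot parse {name}") from None
    if ts.timestamp() == 0:  # the epoch itself is rejected
        raise ValueError(f"{name} cannot be 0")
    return ts

def check_sql(sql):
    """Regex approximation (assumed) of the documented SQL constraints."""
    if not re.match(r"\s*SELECT\b", sql, re.IGNORECASE):
        raise ValueError("invalid sql")  # only search/aggregation queries
    table = re.search(r"\bFROM\s+`?(\w+)`?", sql, re.IGNORECASE)
    if table is None or table.group(1).lower() != "events":
        raise ValueError("the only valid table is `events`")
    limit = re.search(r"\bLIMIT\s+(\d+)\b", sql, re.IGNORECASE)
    if limit is None:
        raise ValueError("sql: LIMIT required")
    if int(limit.group(1)) > 1000:  # documented server-side ceiling
        raise ValueError("sql: maximum LIMIT is 1000")

def build_events_request(sql, period_from, period_to, cluster_id=None,
                         raw_timestamps=False, empty_fields=False):
    """Return the JSON body for POST /api/v2/events, or raise ValueError."""
    t_from = _parse_rfc3339(period_from, "period.from")
    t_to = _parse_rfc3339(period_to, "period.to")
    if t_from > t_to:
        raise ValueError("period.from cannot be greater than period.to")
    check_sql(sql)
    body = {"period": {"from": period_from, "to": period_to}, "sql": sql,
            "rawTimestamps": raw_timestamps, "emptyFields": empty_fields}
    if cluster_id:  # omit when only one storage cluster is registered
        body["ClusterID"] = cluster_id
    return body

def request_error(sql, period_from, period_to):
    try:
        build_events_request(sql, period_from, period_to)
    except ValueError as exc:
        return str(exc)
    return None
```

The returned dictionary is what you send as the JSON body of the POST; note that the 404, 406 and 50x conditions depend on server state and can only be handled from the response.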
